Install SimpleRisk on Ubuntu 14.04 (Apache:MySQL:PHP)


Introduction

SimpleRisk is a simple and free tool to perform risk management activities. Based entirely on open source technologies and sporting a Mozilla Public License 2.0, a SimpleRisk instance can be stood up in minutes and instantly provides the security professional with the ability to submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews. It is highly configurable and includes dynamic reporting and the ability to tweak risk formulas on the fly. It is under active development with new features being added all the time and can be downloaded for free or demoed at https://www.simplerisk.it/.

Disclaimer

The lucky security professionals work for companies who can afford expensive GRC tools to aid in managing risk. The unlucky majority out there usually end up spending countless hours managing risk via spreadsheets. It’s cumbersome, time-consuming, and just plain sucks. When Josh Sokol started writing SimpleRisk, it was out of pure frustration with the other options out there. What he’s put together is undoubtedly better than spreadsheets and gets you most of the way towards the “R” in GRC without breaking the bank. That said, humans can make mistakes, and therefore the SimpleRisk software is provided to you with no warranties expressed or implied. If you get stuck, you can always try sending an e-mail to [email protected] and we’ll do our best to help you out. Also, while SimpleRisk was written by a security practitioner with security in mind, there is no way to promise that it is 100% secure. You accept that as a risk when using the software, but if you do find any issues, please report them to us so that we can fix them ASAP.

Install Ubuntu

SimpleRisk should be able to work on just about any operating system that is capable of running PHP and MySQL. Since the purpose of this guide is to get you up and running with SimpleRisk as quickly as possible, we assume that you are using Ubuntu, a FREE and easy to use Linux-based operating system. Download the latest version of Ubuntu (at the time of this writing it’s 14.04) and install it. See the Ubuntu documentation if you are having any issues there. Once you have a working installation, you can move on to the next installation steps.

Get the Latest Ubuntu Updates

Log in to your Ubuntu installation using the username and password you defined at setup. Select the Unity menu (the one at the very top of the bar on the left) and type “terminal” in the field that pops up. This should show you a shortcut to the terminal application. You can click it to launch the terminal, but it may be a good idea to drag it to the Unity bar on the left first so that you can easily start it in the future.

Once the terminal is launched, you will want to update the OS to the latest software versions available. To do this run “sudo apt-get update” and enter your password when prompted.

This will pull down the latest version information for all of the installed operating system files. Now run “sudo apt-get dist-upgrade” and answer “y” when it asks if you would like to continue.


Installing Apache, PHP, and MySQL

The next step is to install the necessary files in order to run Apache with PHP and MySQL on this system. To do this, first run the command “sudo apt-get install tasksel”.

Next, tell the server to install a LAMP stack by running the command “sudo tasksel install lamp-server”.

You should now see the terminal change into a package configuration application that downloads and installs the applications necessary in order to run a LAMP stack on the server. Eventually it will pause the install in order to ask you to specify a MySQL “root” password. Generate a long and random password and save it off in a secure location so that you can access it later. You will know that this installation process is complete when the package configuration screen goes away and you are back at the terminal shell.

Configuring Apache for the SimpleRisk API

1) Run the command “a2enmod rewrite” to enable mod_rewrite for Apache.

2) Open the file containing the Apache site configuration. This is likely found under /etc/apache2/sites-enabled.

3) Find the “Directory” section for your simplerisk site and add a line at the top for “AllowOverride all”. It should look something like this:


4) Restart Apache by running the command “service apache2 restart”.
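One way to confirm steps 1 to 3 from the terminal before restarting Apache, as an added example that is not part of the original guide or the SimpleRisk project. The sample site configuration is constructed, and the function names and the /var/www/html path in the sample are assumptions.

```shell
#!/bin/sh
# Constructed sample of a site file; apart from "AllowOverride all" the
# directives and the /var/www/html path are assumptions for illustration.
sample_site_conf() {
cat <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/html
    <Directory /var/www/html>
        AllowOverride all
        Options FollowSymLinks
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# allowoverride_for CONF DIR: print the lower-cased AllowOverride value set
# inside <Directory DIR> (DIR without trailing slash); prints nothing if unset.
allowoverride_for() {
    awk -v dir="$2" '
        { line = $0; gsub(/^[ \t]+|[ \t\r]+$/, "", line); low = tolower(line) }
        low ~ /^<directory[ \t]/ {
            path = line
            sub(/^<[^ \t]+[ \t]+/, "", path); sub(/[ \t]*>$/, "", path)
            gsub(/"/, "", path)
            if (length(path) > 1) sub(/\/$/, "", path)
            inside = (path == dir); next
        }
        low ~ /^<\/directory>/ { inside = 0; next }
        inside && low ~ /^allowoverride[ \t]/ {
            val = low; sub(/^[^ \t]+[ \t]+/, "", val)   # last one wins
        }
        END { if (val != "") print val }
    ' "$1"
}

# Step 3: succeeds only when overrides are fully enabled for DIR.
check_allowoverride() { [ "$(allowoverride_for "$1" "$2")" = "all" ]; }

# Step 1: a2enmod links the module into mods-enabled (Debian/Ubuntu layout).
rewrite_enabled() { [ -e "${1:-/etc/apache2}/mods-enabled/rewrite.load" ]; }

# Demo on the constructed sample.
conf=$(mktemp); sample_site_conf > "$conf"
if check_allowoverride "$conf" /var/www/html; then
    echo "AllowOverride all is set for /var/www/html"
else
    echo "AllowOverride all is missing for /var/www/html"
fi
rm -f "$conf"
```

On a real host, point `check_allowoverride` at the file under /etc/apache2/sites-enabled and the directory your SimpleRisk site is served from.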

Obtaining the SimpleRisk Files

Click on the Firefox logo in the Unity bar on the left. Once Firefox loads, enter https://www.simplerisk.it/ into the URL bar to go to the SimpleRisk site. Click on the “Download” link at the top.

Click to download and save both the Web Bundle and the Installer Script. Once you have the files downloaded, you can close the browser.

Installing the Web Files

Change to the new Apache web root by running the command “cd /var/www/html”.


Remove the default index page using the command “sudo rm index.html”. Extract the web bundle into the web directory using the command “sudo tar xvzf ~/Downloads/simplerisk-20160612-001.tgz” (or whatever the most current version available is).

This will extract the files into a directory under the web root named “simplerisk”. You will need to access the files with a “/simplerisk” appended to the URL. Optionally, you can run the following commands to move it to the web root:

• sudo mv simplerisk/* .
• sudo rmdir simplerisk

The shell's * does not match hidden files, so if rmdir reports that the directory is not empty, check for remaining dotfiles (such as .htaccess) in “simplerisk”.

Change the ownership permissions of the “simplerisk” directory and all its sub-directories to be owned by the www-data user (or whatever user Apache is running as) using the command “sudo chown -R www-data: /var/www/html”.

Installing the Database

Extract the current SimpleRisk installer to the “simplerisk” directory using the command “sudo tar xvzf ~/Downloads/simplerisk-installer-20160612-001.tgz” (or whatever the most current version available is). This will create a new “install” directory. Next, in your web browser, navigate to http://localhost/install on your SimpleRisk instance. If everything works as expected, you will see an installer page designed to configure the database for you.

Under the Database Connection Information, provide it with your database hostname, port, username, and password. Under the SimpleRisk Installation Information, provide it with the SimpleRisk database hostname, database name, and username that you would like SimpleRisk to use. By default, it will generate a strong, random database password, and we recommend that you keep that value. Under the SimpleRisk Configuration Information, you have the ability to choose the default language, session timeouts, default timezone, and other options. With the exception of the database schema language and timezone, we recommend that you keep the default values. When the script completes, it will ask if you would like to install a new /includes/config.php page. Select “Update” to have it automatically updated with the installer information. If it does not have permission to write to the file, or cannot find the existing config.php file, then it will provide you with the contents to place in it instead. It is always a good idea to delete the “install” directory once it is no longer needed using the command “sudo rm -r install”.
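A post-install check for the ownership and clean-up steps above, run against the web root (an added example, not part of the original guide or SimpleRisk itself). The function name is hypothetical, the demo tree is constructed, and the config.php permission check is an added assumption rather than a step from the guide.

```shell
#!/bin/sh
# audit_simplerisk WEBROOT OWNER
# Prints one finding per line; returns non-zero if anything was found.
audit_simplerisk() {
    root=$1 owner=$2 findings=0

    # The guide says to delete the installer once the database is set up.
    if [ -d "$root/install" ]; then
        echo "installer directory still present: $root/install"
        findings=$((findings + 1))
    fi

    # The guide chowns the tree to the Apache user (www-data on Ubuntu).
    stray=$(find "$root" ! -user "$owner" | wc -l | tr -d ' ')
    if [ "$stray" -gt 0 ]; then
        echo "$stray path(s) under $root not owned by $owner"
        findings=$((findings + 1))
    fi

    # Assumption (not in the guide): config.php carries the database
    # password written by the installer, so flag it if world-readable.
    cfg="$root/includes/config.php"
    if [ -f "$cfg" ] && [ -n "$(find "$cfg" -perm -004)" ]; then
        echo "world-readable: $cfg"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed demo tree standing in for the web root; the numeric UID of
# the current user stands in for www-data.
demo=$(mktemp -d)
mkdir -p "$demo/includes" "$demo/install"
: > "$demo/includes/config.php"; chmod 644 "$demo/includes/config.php"
audit_simplerisk "$demo" "$(id -u)" || echo "fix the findings above"
rm -rf "$demo"
```

On a real host, call it as `audit_simplerisk /var/www/html www-data`, or with /var/www/html/simplerisk if you did not move the files to the web root.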


Logging in to SimpleRisk

You should now have performed all of the steps you need to for SimpleRisk to be up and running. Now is the moment of truth where we hopefully get to see if all of your hard work paid off. You now need to point your web browser to the URL where SimpleRisk would be installed. If you followed the optional instructions, then it should be located at http://localhost/. If you did not, then it is probably located at http://localhost/simplerisk. You will know that you’ve got the right page when you see something like this:

Enter username “admin” and password “admin” to get started. Then, select the “Admin” dropdown at the top right and click on “My Profile”.

Enter your current password as “admin” and place a new long and randomly generated password into the “New Password” and “Confirm Password” fields. Then click “Submit”.


You should receive a message saying that your password was updated successfully. If so, then this is your new “admin” password for SimpleRisk. If you received a message saying that “The password entered does not adhere to the password policy”, you can change the policy by selecting “Configure” from the menu at the top followed by “User Management” on the left side. You will see a “Password Policy” section at the bottom of the page where you can change the policy and try changing your password again.

Registering SimpleRisk

This step is completely optional, but without it upgrades of SimpleRisk will require manual downloads of the new version, backing up your configuration file, extracting the new files, restoring the configuration file, and a database upgrade. It sounds like more effort than it really is, but we’ve made the process far simpler if you’re willing to tell us who you are. To register your SimpleRisk instance, select “Configure” from the menu at the top followed by “Register & Upgrade” from the menu at the left.

Enter your information and select the “Register” button. This will create a unique Instance ID for your SimpleRisk instance and download the Upgrade Extra which enables functionality for one-click backups and upgrades. If you run into issues with the registration process, we recommend that you check to ensure that the “simplerisk” directory and its sub-directories are writeable by the www-data user (or whatever user Apache is running as).

**This completes your installation of SimpleRisk**


SimpleRisk Paid Support and Extras

Everything that you’ve seen up to this point is completely free for you to install and use, forever. That said, we offer a number of ways for you to enhance your SimpleRisk instance with even more functionality. If you like what you see, and find it useful, please consider purchasing one of our inexpensive Paid Support plans or Extra functionality so that we can continue to offer you the best open source risk management tool available. Thank you!